# Packages
No description provided by the author
# Functions
AuthorizeForwardedRoleAndOrg checks for proper roles and organization of caller.
AuthorizeOrgAndRole takes in a context and a list of roles, and returns the Node ID of the node.
BootstrapCluster receives a directory and creates both new Root CA key material and a ManagerRole key/certificate pair to be used by the initial cluster manager.
CreateAndWriteRootCA creates a Certificate authority for a new Swarm Cluster, potentially overwriting any existing CAs.
DefaultCAConfig returns the default CA Config, with a default expiration.
DefaultPolicy is the default policy used by the signers to ensure that the only fields from the remote CSRs we trust are: PublicKey, PublicKeyAlgorithm and SignatureAlgorithm.
EncryptECPrivateKey receives a PEM-encoded private key and returns an AES-256-encrypted version protected by a passphrase. TODO: make this method generic so it can also handle RSA keys.
FormatRole parses an internal role string into an apiRole.
GenerateAndSignNewTLSCert creates a new keypair, signs the certificate using signer, and saves the certificate and key to disk.
GenerateAndWriteNewKey generates a new pub/priv key pair, writes it to disk and returns the CSR and the private key material.
GenerateJoinToken creates a new join token.
GetAndValidateCertificateSubject is a helper method to retrieve and validate the subject from the x509 certificate underlying a tls.Certificate.
GetLocalRootCA validates if the contents of the file are a valid self-signed CA certificate, and returns the PEM-encoded Certificate if so.
GetRemoteCA returns the remote endpoint's CA certificate.
GetRemoteSignedCertificate submits a CSR to a remote CA server whose address is obtained through a picker and which belongs to a CA identified by a specific certificate pool.
LoadOrCreateSecurityConfig encapsulates the security logic behind joining a cluster.
LoadTLSCreds loads TLS credentials from the specified path and verifies that they are valid for the RootCA.
LogTLSState logs information about the TLS connection and remote peers.
NewClientTLSConfig returns a tls.Config configured for a TLS client, given a tls.Certificate, the PEM-encoded root CA certificate, and the name of the remote server the client wants to connect to.
NewConfigPaths returns the absolute paths to all of the different types of files.
NewExternalCA creates a new ExternalCA which uses the given tlsConfig to authenticate to any of the given URLs of CFSSL API endpoints.
NewMutableTLS uses c to construct a mutable TransportAuthenticator based on TLS.
NewRootCA creates a new RootCA object from unparsed PEM cert bundle and key byte slices.
NewSecurityConfig initializes and returns a new SecurityConfig.
NewServer creates a CA API server.
NewServerTLSConfig returns a tls.Config configured for a TLS Server, given a tls.Certificate and the PEM-encoded root CA Certificate.
ParseRole parses an apiRole into an internal role string.
PrepareCSR creates a CFSSL Sign Request based on the given raw CSR and overrides the Subject and Hosts with the given extra args.
RemoteNode returns the node ID and role from the client's TLS certificate.
RenewTLSConfig continuously monitors whether the local certificates need renewing, and renews them either by issuing them locally if signing key material is available, or by requesting them from a remote CA.
SigningPolicy creates a policy used by the signer to ensure that the only fields from the remote CSRs we trust are: PublicKey, PublicKeyAlgorithm and SignatureAlgorithm.
WithMetadataForwardTLSInfo reads the certificate from the context and returns a context in which ForwardCert is set based on the original certificate.
# Constants
AgentRole represents the Agent node type, and is used for authorization to endpoints.
CARole represents the CA node type, and is used for clients attempting to get new certificates issued.
CertLowerRotationRange represents the minimum fraction of time that we will wait when randomly choosing our next certificate rotation.
CertUpperRotationRange represents the maximum fraction of time that we will wait when randomly choosing our next certificate rotation.
DefaultNodeCertExpiration represents the default expiration for node certificates (3 months).
ManagerRole represents the Manager node type, and is used for authorization to endpoints.
MinNodeCertExpiration represents the minimum expiration for node certificates (25 + 5 minutes). Writing X for the expiration, the constraint is X - 5 > CertUpperRotationRange * X, i.e. X > 5/(1 - CertUpperRotationRange). Since we issue certificates 5 minutes in the past to get around clock drift, and we select a random rotation point from the range CertLowerRotationRange to CertUpperRotationRange, we must not accept an expiration time that would let a node randomly choose its next rotation after the certificate has already expired.
PassphraseENVVar defines the environment variable to look for the root CA private key material encryption key.
PassphraseENVVarPrev defines the alternate environment variable to look for the root CA private key material encryption key.
RootCAExpiration represents the expiration for the root CA in seconds (20 years).
RootKeyAlgo defines the default algorithm for the root CA Key.
RootKeySize is the default size of the root CA key.
# Variables
ErrNoExternalCAURLs is an error used to indicate that an ExternalCA is configured with no URLs to which it can proxy certificate signing requests.
ErrNoLocalRootCA is an error type used to indicate that the local root CA certificate file does not exist.
ErrNoValidSigner is an error type used to indicate that our RootCA doesn't have the ability to sign certificates.
# Structs
CertificateUpdate represents a change in the underlying TLS configuration being returned by a certificate renewal event.
CertPaths is a helper struct that keeps track of the paths of a Cert and corresponding Key.
ExternalCA is able to make certificate signing requests to one of a list of remote CFSSL API endpoints.
MutableTLSCreds is the credentials required for authenticating a connection using TLS.
RemoteNodeInfo describes a node sending an RPC request.
RootCA is the representation of everything we need to sign certificates.
SecurityConfig is used to represent a node's security configuration.
SecurityConfigPaths is used as a helper to hold all the paths of security relevant files.
Server is the CA and NodeCA API gRPC server.